NASA-IMPACT / veda-backend

Backend services for VEDA

Prototype authentication with veda-auth-central Keycloak #373

Open smohiudd opened 6 months ago

smohiudd commented 6 months ago

What

The veda-auth-central team is working on an SSO solution using Keycloak. This will eventually be the authentication solution for all VEDA services.

@alukach started a sample app which reflects how our APIs may use veda-auth-central Keycloak authentication. This solution needs to be prototyped in the Veda STAC API in place of our current Cognito authentication.

PI Objective

Objective DS-2: STAC Admin NASA-IMPACT/veda-architecture#454

Acceptance Criteria

Veda-auth-central authentication integrated with the following:

smohiudd commented 5 months ago

From the veda-auth-central team:

smohiudd commented 3 months ago

Notes from discussion with Auth Central team Aug 2 meeting:

smohiudd commented 3 months ago

Prior to veda-auth-central integration with veda-backend we'll need to determine the appropriate Group and Scopes that will be needed.

There are currently six services in veda that require auth:

  1. STAC API
  2. Ingest API
  3. Workflows API
  4. STAC Admin
  5. SM2A
  6. Grafana (Not using Scopes, only Groups)

Both STAC and Ingest API services allow us to create, update & delete STAC records in the catalog.

Should we have the same Scopes for both APIs? For example (note: @alukach I'm not sure if this is the correct naming convention for scopes):

[
  "veda:stac:read",
  "veda:stac:create",
  "veda:stac:update",
  "veda:stac:delete"
]
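
An added illustration, not part of the comment above or of veda-backend's code: one way the proposed scope names could be enforced identically by both APIs. It assumes the access token has already been signature-validated and carries the standard space-delimited OAuth 2.0 `scope` claim; the method-to-scope mapping and all function names are hypothetical.

```python
from typing import Mapping, Optional

SCOPE_PREFIX = "veda:stac:"

# Assumed mapping from HTTP method to the scope names proposed in the comment.
METHOD_SCOPES = {
    "GET": "read", "HEAD": "read",
    "POST": "create",
    "PUT": "update", "PATCH": "update",
    "DELETE": "delete",
}

def required_scope(method: str) -> Optional[str]:
    """Return the scope a request needs, or None for an unmapped method."""
    action = METHOD_SCOPES.get(method.upper())
    return SCOPE_PREFIX + action if action else None

def granted_scopes(claims: Mapping[str, object]) -> frozenset:
    """Split the space-delimited `scope` claim into exact scope tokens."""
    raw = claims.get("scope")
    if not isinstance(raw, str):
        return frozenset()  # missing or malformed claim grants nothing
    return frozenset(raw.split())

def is_authorized(claims: Mapping[str, object], method: str) -> bool:
    """Deny by default: unmapped methods and absent scopes are refusals."""
    needed = required_scope(method)
    # Exact set membership, never a substring test on the raw claim string.
    return needed is not None and needed in granted_scopes(claims)

# Constructed sample claims (not real tokens).
READER = {"sub": "user-a", "scope": "openid veda:stac:read"}
EDITOR = {"sub": "user-b",
          "scope": "openid veda:stac:read veda:stac:create veda:stac:update"}
# Look-alike scope names that a substring check would wrongly accept.
LOOKALIKE = {"sub": "user-c",
             "scope": "openid veda:stac:readonly xveda:stac:delete"}

if __name__ == "__main__":
    for name, claims in (("reader", READER), ("editor", EDITOR),
                         ("lookalike", LOOKALIKE)):
        allowed = [m for m in METHOD_SCOPES if is_authorized(claims, m)]
        print(name, allowed)
```

Because both services would import the same mapping, a change to a scope name or to the deny-by-default behaviour applies to the STAC and Ingest APIs at once.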

smohiudd commented 3 months ago

See this spreadsheet for group and scope details for the applications listed above: https://docs.google.com/document/d/1vwqLwVSZH6ZbofWFcLC9CDVueynoVHHHCPdZLK0n1J8/edit#heading=h.pqt43d9p5xzt

smohiudd commented 3 months ago

Draft PR: https://github.com/NASA-IMPACT/veda-backend/pull/424

Deployed to: https://stacadmin.openveda.cloud/api/stac/docs, https://stacadmin.openveda.cloud/api/ingest/docs

smohiudd commented 3 months ago

Following ADR review meeting on Aug 29 (Meeting notes), the veda auth central team will be working with technical teams to validate the current auth approach or work on an alternative. Given that changes to veda-auth-central are possible, I suggest putting the prototyping on hold until there is more certainty.

smohiudd commented 2 months ago

veda-auth-central has been integrated into the stac and ingest endpoints in this stack: https://stacadmin.openveda.cloud/api/stac/docs